External Connectivity

External Connectivity

Allowing traffic to the Internet

Next, we will allow external traffic to the Group Provider. Go to Project | Policy | Groups and in the tab External click Create External Group. Provide internet as the name for this group and click Next.

As we want to use separate contract for access from internet, we will create new Policy Rule Set in Consumed Policy Rule Set by clicking +:

Use contract_internet as the name for this contract and click Next

Select ssh-policy as this is the policy group we want to use and click Create

Confirm the selection of contract_internet as the Consumed Policy Set and click Create

Confirm the selection of contract_internet as the Consumed Policy Set and click Next

Select the public segment as external connectivity and click Create

Now you should see a new Group representing public Internet

Now, include contract_internet to the provided contracts for group-provider. Go To Internal tab and click Edit next to the group-provider

L3 Policy

Next we create L3 policy for external communication. Go to Project | Policy | Network and Services Policy and click Edit button of the default L3 policy created by OpenStack.

Click + to create a new external segment

Click Create to confirm the creation

Select the external segment and click Save Changes

You should see the updated External segment of default L3 Policy. External IP adress begins with 169. that means it is a private IP, which is used for internal addresses (something as linklocal). In fact a router in the network topology was created the will link the corresponding networks with outside Internet.

You can check the new L3 policy and contract_internet in CISCO ACI.

The last step is to associate a Floating IP to vm-provider. Go To Project | Access & Security select the Floating IPs tab and click Allocate IP To Project. Then confirm the allocation by clicking Allocate IP

Click Associate button

In the following dialog, select the port of vm-provider instance and click Associate